sync: auto-sync from HOWARD-HOME at 2026-06-25 19:48:41
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 19:48:41
@@ -0,0 +1,152 @@
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
## Session Summary
|
||||
|
||||
Set up the long-deferred shared-drive access for Nick Pafford at Rednour Law Offices (Syncro
|
||||
#32343, open as a P2 item since 2026-05-31). The "shared drive" was never pinned down in prior
|
||||
sessions; this session identified it as the **`Documents` SMB share on REDNOURCARRIEVI**
|
||||
(`C:\Users\Carrie\Documents`) by running `Get-SmbShare` across all three GuruRMM-enrolled
|
||||
workstations. Rednour is a workgroup (no AD), so access requires a local Windows account on that
|
||||
PC; the share was previously reached only via the local `emma` account (an active local account,
|
||||
unrelated to the M365 Emma->Carla mailbox rename).
|
||||
|
||||
After confirming the target with Howard and collecting decisions (dedicated account, Modify
|
||||
access, LAN connectivity, Apple Silicon Mac), created a dedicated standard local account `nick`
|
||||
on REDNOURCARRIEVI with PasswordNeverExpires, granted **share = Change** and **NTFS = Modify**
|
||||
on the Documents folder. The credential was vaulted at
|
||||
`clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Howard mounted the share on Nick's Apple
|
||||
Silicon Mac onsite (`smb://192.168.10.194/Documents`) and confirmed it working.
|
||||
|
||||
The GuruRMM macOS agent install on Nick's Mac failed. Server-side checks showed the install
|
||||
script + binary endpoints both return HTTP 200 (3.96 MB single-arch aarch64), so the artifact is
|
||||
served fine. Root-cause hypothesis: the served aarch64 binary is **unsigned**, and Apple Silicon
|
||||
SIGKILLs unsigned Mach-O binaries, so the LaunchDaemon never runs. The repo has
|
||||
`agent/build-macos-signed.sh` (signs with Mike's Developer ID + notarizes) alongside the plain
|
||||
unsigned `agent/build-macos.sh` — the server is almost certainly publishing the unsigned one.
|
||||
Flagged via coord todo (project gururmm) and in the wiki; deferred for a fix (Howard only had a
|
||||
limited ScreenConnect support session).
|
||||
|
||||
Documentation was updated: wiki `clients/rednour.md` (Nick share marked done, new File Shares
|
||||
section, macOS-unsigned-agent known issue, return-visit + RMM-fail open items), an errorlog
|
||||
friction entry, and a new memory on the RMM Set-Acl timeout. Billing and the Syncro internal
|
||||
note were explicitly deferred to tomorrow per Howard — no Syncro writes were made this session.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- **Dedicated `nick` local account** over reusing the existing `emma`/`localadmin` creds — per-user
|
||||
accountability; `emma` is confusingly named and `localadmin` is over-privileged.
|
||||
- **Modify (read/write)** on the Documents share, matching a normal working-folder need.
|
||||
- **Generate the password locally in the Bash tool and inject via placeholder** after two RMM
|
||||
command timeouts lost the on-box-generated password (stdout is dropped on timeout). Final
|
||||
password was set to a Howard-specified value.
|
||||
- **NTFS grant via `icacls` (folder-only ACE, inheritance handles children)** instead of
|
||||
PowerShell `Set-Acl` re-stamping the whole tree, which was the step that timed out.
|
||||
- **Defer all Syncro billing + the internal note to tomorrow** (Howard's call). Noted that Syncro
|
||||
supports multiple invoices per ticket, so the already-Invoiced #32343 can still take a new
|
||||
invoice for today's onsite labor.
|
||||
- **Updated the wiki directly** (vs `/wiki-compile`) at Howard's request, given the targeted
|
||||
factual changes and that he was wrapping up onsite.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **RMM command timeouts on ACL propagation.** PowerShell `Set-Acl` with inheritance on Carrie's
|
||||
large Documents tree exceeded `timeout_seconds` (90s, then 120s); since stdout is dropped on
|
||||
timeout, the randomly-generated password printed in the same script was lost twice. Resolved by
|
||||
generating the password locally (retained regardless of timeout), setting it in an isolated
|
||||
fast command, and applying the NTFS ACE with `icacls` (no `/T`). Logged to errorlog (`rmm/acl`,
|
||||
--friction) and saved as memory `feedback_rmm_setacl_timeout_password_loss`.
|
||||
- **GuruRMM macOS agent did not install** on Nick's Apple Silicon Mac — server serves the binary
|
||||
fine; hypothesis is the served aarch64 binary is unsigned (SIGKILL on Apple Silicon). Deferred;
|
||||
coord todo filed.
|
||||
- **Ticket #32343 is `Invoiced`, not `Resolved`** (wiki was stale). A new labor line would not
|
||||
land on the existing invoice; surfaced to Howard, who deferred billing to tomorrow.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
**REDNOURCARRIEVI (client machine, via GuruRMM):**
|
||||
- Created local user `nick` (FullName "Nick Pafford", standard user, member of Users,
|
||||
PasswordNeverExpires, AccountNeverExpires).
|
||||
- `Documents` SMB share: granted `REDNOURCARRIEVI\nick` = Change.
|
||||
- NTFS on `C:\Users\Carrie\Documents`: granted `REDNOURCARRIEVI\nick` = Modify (OI)(CI).
|
||||
|
||||
**ClaudeTools repo (committed + pushed):**
|
||||
- `wiki/clients/rednour.md` — Nick share done; File Shares section; macOS-unsigned known issue;
|
||||
return-visit + RMM-fail open items; contact row updated.
|
||||
- `errorlog.md` — rmm/acl friction entry.
|
||||
- `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md` + `.claude/memory/MEMORY.md` index.
|
||||
|
||||
**Vault repo (committed + pushed):**
|
||||
- `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` — new credential entry.
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- **Nick Pafford SMB account** — `REDNOURCARRIEVI\nick` / `Kg5Qe2Kc3` (PasswordNeverExpires).
|
||||
Vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. For SMB access to
|
||||
`\\REDNOURCARRIEVI\Documents` (share=Change, NTFS=Modify). Mac mount:
|
||||
`smb://192.168.10.194/Documents`.
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **REDNOURCARRIEVI** — Carrie Rednour's workstation; 192.168.10.194 (LAN) / 10.147.17.253
|
||||
(ZeroTier). GuruRMM agent id `8e4e2221-7e2a-4a6f-9eda-864568539961`, client "Rednour Law
|
||||
Offices", site "Main".
|
||||
- **SMB shares on REDNOURCARRIEVI:** `Documents` + `ShareName` (both -> `C:\Users\Carrie\Documents`),
|
||||
`Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. Several
|
||||
over-broad (Everyone=Full on Program Files/Users/Time Matters) — security cleanup candidate.
|
||||
- **Local accounts on REDNOURCARRIEVI:** Carrie, emma (active), localadmin, guru,
|
||||
QBDataServiceUser26, + new `nick`.
|
||||
- **GuruRMM macOS install (site GREEN-FALCON-7214):** install script
|
||||
`https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos` (HTTP 200); binary
|
||||
`.../download/macos` (HTTP 200, 3.96 MB, single-arch aarch64, default Apple Silicon).
|
||||
- **Rednour (Syncro):** customer "Rednour Law" id 1224246, prepay_hours 0.0; ticket #32343
|
||||
(id 111409967) status Invoiced, owner Mike (1735).
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
```bash
|
||||
# RMM auth + find Rednour agents
|
||||
eval "$(bash .claude/scripts/rmm-auth.sh)"
|
||||
# Get-SmbShare across 3 PCs -> Documents share on REDNOURCARRIEVI = C:\Users\Carrie\Documents
|
||||
|
||||
# Create account + share grant (share succeeded; Set-Acl timed out)
|
||||
New-LocalUser nick / Grant-SmbShareAccess Documents Change / Set-Acl (TIMEOUT 90s)
|
||||
|
||||
# Recover: set known password (fast), apply NTFS via icacls (folder ACE)
|
||||
Set-LocalUser nick -Password Kg5Qe2Kc3 -PasswordNeverExpires $true # OK
|
||||
icacls "C:\Users\Carrie\Documents" /grant "REDNOURCARRIEVI\nick:(OI)(CI)M"
|
||||
|
||||
# Vault
|
||||
bash .claude/skills/vault/scripts/vault-helper.sh new clients/rednour/nick-smb-rednourcarrievi ...
|
||||
|
||||
# Coord todo (gururmm macOS signing fix)
|
||||
coord.py todo add "GuruRMM macOS agent install fails on Apple Silicon ..." --project gururmm
|
||||
# id=6f2d22be-e653-48c8-9f9b-0155420b315d
|
||||
```
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **Syncro #32343 billing — tomorrow.** 0.5h onsite labor (product 26118, $175/hr, $87.50) for
|
||||
today's share setup, plus the internal work note. Deferred by Howard. Ticket is Invoiced;
|
||||
attach a new invoice (Syncro allows multiple per ticket). prepay_hours 0.0.
|
||||
- **Fix GuruRMM macOS agent for Apple Silicon** (coord todo 6f2d22be) — serve the signed+notarized
|
||||
arm64 binary (build-macos-signed.sh) or ad-hoc `codesign -s -` in the install script. Then enroll
|
||||
Nick's Mac. Confirm root cause with Mac log (`killed: 9` / `sudo /usr/local/bin/gururmm-agent run`).
|
||||
- **Auto-reconnect on Nick's Mac** — add the mounted Documents volume to System Settings > General >
|
||||
Login Items (the "+" in Connect to Server only adds a Favorite, not auto-mount). To be done in
|
||||
Nick's user session.
|
||||
- **Return visit** — phone + printer setup at Rednour; may require running a new wire / installing a
|
||||
switch.
|
||||
- **Security cleanup (lower priority):** over-broad Everyone=Full shares on REDNOURCARRIEVI.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro ticket #32343: https://computerguru.syncromsp.com/tickets/111409967
|
||||
- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`
|
||||
- Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm)
|
||||
- GuruRMM agent (REDNOURCARRIEVI): 8e4e2221-7e2a-4a6f-9eda-864568539961
|
||||
- macOS build scripts: `projects/msp-tools/guru-rmm/agent/build-macos.sh` (unsigned),
|
||||
`build-macos-signed.sh` (Developer ID: MICHAEL PHILLIP SWANSON N2LVAL4LQP), `build-macos-pkg.sh`
|
||||
- Memory: `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md`
|
||||
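Review bot: The `Credentials & Secrets` bullet and the `Set-LocalUser nick -Password ...` line under `Commands & Outputs` both commit the `nick` account's password in cleartext, which bypasses the SOPS entry at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` that the same file cites. Replace both occurrences with a pointer to the vault path, and rotate the password on REDNOURCARRIEVI, since the value remains in this repo's history and the account is set to PasswordNeverExpires. Two smaller points: the `Commands & Outputs` fence is tagged `bash` but mixes PowerShell cmdlets and `icacls` shorthand, so label it as a summary rather than runnable commands; and the pending item that offers ad-hoc `codesign -s -` as an alternative to `build-macos-signed.sh` should state which is preferred, because an ad-hoc signature carries no Developer ID identity and no notarization.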